Abstract. Choreography-based approaches to service composition typically assume that, after a set of services has been found which correctly play the roles prescribed by the choreography, each service respects its role. Honest services are not protected against adversaries. We propose a model for contracts based on an extension of Petri nets, which allows services to protect themselves while still realizing the choreography. We relate this model with Propositional Contract Logic, by showing a translation of formulae into our Petri nets which preserves the logical notion of agreement, and allows for compositional verification.



1 Introduction 

Many of today's human activities, from business and financial transactions, to collaborative and social applications, run over complex interorganizational systems, based on service-oriented computing (SOC) and cloud computing technologies. These technologies foster the implementation of complex software systems through the composition of basic building blocks, called services. Ensuring reliable coordination of such components is fundamental to avoid critical, possibly irreparable problems, ranging from economic losses in case of commercial activities, to risks for human life in case of safety-critical applications.

Ideally, in the SOC paradigm an application is constructed by dynamically discovering and composing services published by different organizations. Services have to cooperate to achieve the overall goals, while at the same time they may have to compete, to achieve the specific goals of their stakeholders. These objectives may be conflicting, especially in the case of mutually distrusting organizations. Therefore, services must play a double role: while cooperating together, they have to protect themselves against other services' misbehavior (either unintentional or malicious).

The lack of precise guar­antees about the reliability and security of services is a main deterrent for industries wishing to move their applications and business to the cloud [3]. Quoting from [3], "absent radical improvements in security technology, we expect that users will use contracts and courts, rather than clever security engineering, to guard against provider malfeasance".

Indeed, contracts are already a key ingredient in the design of SOC applications. A 
choreography is a specification of the overall behavior of an interorganizational process. 
This global view of the behavior is projected into a set of local views, which specify 
the behavior expected from each service involved in the whole process. The local views 
can be interpreted as the service contracts: if the actual implementation of each service 
respects its contract, then the overall application must be guaranteed to behave correctly. 



There are many proposals of formal models for contracts in the literature, which we may roughly divide into "physical" and "logical" models. Physical contracts take inspiration mainly from formalisms for concurrent systems (e.g. Petri nets [16], event structures [12, 4], and various sorts of process algebras [6-8, 10, 13]), and they allow one to describe the interaction of services in terms of response to events, message exchanges, etc. On the other side, logical contracts are typically expressed as formulae of suitable logics, which take inspiration from and extend e.g. modal [1, 11], intuitionistic [2, 5], linear [2], and deontic [14] logics to model high-level concepts such as promises, obligations, prohibitions, authorizations, etc.

Even though logical contracts are appealing, since they aim to provide formal models and reasoning tools for real-world Service Level Agreements, existing logical approaches have not had a great impact on the design of SOC applications. A reason is that there is no evidence on how to relate high-level properties of a contract with properties of the services which have to realize it. The situation is decidedly better in the realm of physical contracts, where the gap between contracts and services is narrower. Several papers, e.g. [7-9, 13, 16], address the issue of relating properties of a choreography with properties of the services which implement it (e.g. deadlock freedom, communication error freedom, session fidelity), in some cases providing automatic tools to project the choreography to a set of services which correctly implement it.

A common assumption of most of these approaches is that services are honest, in 
that their behavior always adheres to the local view. For instance, if the local view takes 
the form of a behavioral type, it is assumed that the service is typeable, and that its type 
is a subtype of the local view. Therefore, contracts are only used in the "matchmaking" 
phase: once, for each local view projected from the choreography, a compliant service 
has been found, then all the contracts can be discarded. 

We argue that the honesty assumption is not suitable in the case of interorganizational processes, where services may pursue their providers' goals to the detriment of the other ones. For instance, consider a choreography which prescribes that a participant A performs action a (modeling e.g. "pay $100 to B"), and that B performs b (e.g. "provide A with 5GB disk storage"). If both A and B are honest, then each one will perform its due action, so leading to a correct execution of the choreography. However, since providers have full control of the services they run, there is no authority which can enforce that a service is honest. So, a malicious provider can replace a service validated w.r.t. its contract with another one: e.g., B could wait until A has done a, and then "forget" to do b. Note that B may perform this scam while not being liable for a contract violation, since contracts have been discarded after validation.

In such competitive scenarios, the role of contracts is twofold. On the one hand, 
they must guarantee that their composition complies with the choreography: hence, in 
contexts where services are honest, the overall execution is correct. On the other hand, 
contracts must protect services from malicious ones: in the example above, the contract 
of A must ensure that, if A performs a, then B will either do b, or he will be considered 
culpable of a contract violation. 

In this paper, we consider physical contracts modeled as Petri nets, along the lines of [16]. In our approach we can both start from a choreography (modeled as a Petri net) and then obtain the local views by projection, as in [16], or start from the local views, i.e. the contracts published by each participant, to construct a choreography which satisfies the goals of everybody. Intuitively, when this happens the contracts admit an agreement.

A crucial observation about [16] is that if the contracts admit an agreement, then some participant is not protected, and vice-versa. The archetypical example is the one outlined above. Intuitively, if each participant waits until the other one has performed her action, then both participants are protected, but the contracts do not admit an agreement because there is a deadlock. Otherwise, if a participant performs her action without waiting for the other one, then the contracts admit an agreement, but the participant who makes the first step is not protected.

To overcome this problem, we introduce lending Petri nets (in short, LPN). Roughly, an LPN is a Petri net where some places may produce tokens "on credit". Technically, when a place gives a token on credit its marking will become negative. This differs from standard Petri nets, where markings are always nonnegative. The intuition is that if a participant takes a token on credit, then it is obliged to honour it — otherwise he is culpable of a contract violation.

Differently from the Petri nets used in [16], LPNs allow for modeling contracts which, at the same time, admit an agreement (more formally, weakly terminate) and protect their participants. LPNs preserve one of the main results of [16], i.e. the possibility of proving that an application respects a choreography, by only locally verifying the services which compose it. More precisely, we project a choreography to a set of local views, independently refine each of them, and are then guaranteed that the composition of all refinements respects the choreography. This is stated formally in Theorem 1.

The other main contribution is a relation between the logical contracts of [5] and LPN contracts. More precisely, we consider contracts expressed in (a fragment of) Propositional Contract Logic (PCL), and we compile them into LPNs. Theorem 2 states that a PCL contract admits an agreement if and only if its compilation weakly terminates. Summing up, Theorem 3 states that one can start from a choreography represented as a logical contract, compile it to a physical one, and then use Theorem 1 to project it to a set of services which correctly implement it, and which are protected against adversaries. Finally, Theorem 4 relates logical and physical characterizations of urgent actions, i.e. those actions which must be performed in a given state of the contract.

Structure of the paper. In Sect. 2 we review Petri nets. We introduce lending Petri nets in Sect. 3, and in Sect. 4 we use them in a model for contracts. In Sect. 5 we recap the logic PCL. In Sect. 6 we show how to construct a physical contract from a logical one, and we state our main results. Finally, in Sect. 7 we draw some conclusions.

2 Nets 

In this section we briefly review Petri nets (labelled on a set $\mathcal{T}$) and the token game.

Definition 1. A labelled Petri net is a 5-tuple $(S, T, F, \Gamma, \Lambda)$, where

- $S$ is a set of places, and $T$ is a set of transitions (with $S \cap T = \emptyset$),

- $F \subseteq (S \times T) \cup (T \times S)$ is the flow relation,

- $\Gamma : S \rightharpoonup \mathcal{T}$ is a partial labeling function for places, and

- $\Lambda : T \rightharpoonup \mathcal{T}$ is a partial labeling function for transitions.
Ordinary (non labeled) Petri nets are those where the two labeling functions are always undefined (i.e. equal to $\bot$). We require that for each $t \in T$, $F(t,s) > 0$ for some place $s \in S$ (a transition cannot happen spontaneously). Subscripts on the net name carry over to the names of the net components. As usual, we define the pre-set and post-set of a transition/place: ${}^\bullet x = \{y \in T \cup S \mid F(y,x) > 0\}$ and $x^\bullet = \{y \in T \cup S \mid F(x,y) > 0\}$, respectively. These are extended to subsets of transitions/places in the obvious way.

A marking is a function m from places to natural numbers (i.e. a multiset over 
places), which represents the state of the system modeled by the net. 

Definition 2. A marked Petri net is a pair $N = ((S, T, F, \Gamma, \Lambda), m_0)$, where

- $(S, T, F, \Gamma, \Lambda)$ is a labelled Petri net, and

- $m_0 : S \to \mathbb{N}$ is the initial marking.

The dynamics of a net is described by the execution of transitions at markings. Let $N$ be a marked net (hereafter we will just call net a marked net). A transition $t$ is enabled at a marking $m$ if the places in the pre-set of $t$ contain enough tokens (i.e. if $m$ contains the pre-set of $t$). Formally, $t \in T$ is enabled at $m$ if $m(s) \geq F(s,t)$ for all $s \in {}^\bullet t$. In this case, to indicate that the execution of $t$ in $m$ produces the new marking $m'(s) = m(s) - F(s,t) + F(t,s)$, we write $m[t\rangle m'$, and we call it a step¹. This notion can be lifted, as usual, to multisets of transitions.

The notion of step leads to that of execution of a net. Let $N = ((S, T, F, \Gamma, \Lambda), m_0)$ be a net, and let $m$ be a marking. The firing sequences starting at $m$ are defined as follows:

- $m$ is a firing sequence, and

- if $m[t_1\rangle m_1 \cdots m_{n-1}[t_n\rangle m_n$ is a firing sequence and $m_n[t\rangle m'$ is a step, then $m[t_1\rangle m_1 \cdots m_{n-1}[t_n\rangle m_n[t\rangle m'$ is a firing sequence.

A marking $m$ is reachable iff there exists a firing sequence starting at $m_0$ leading to it. The set of reachable markings of a net is denoted with $\mathcal{M}(N)$. A trace can be associated to each firing sequence, which is the word on $\mathcal{T}^*$ obtained by the firing sequence considering just the (labels of the) transitions and forgetting the markings: if $m_0[t_1\rangle m_1 \cdots m_{n-1}[t_n\rangle m_n$ is a firing sequence of $N$, the associated trace is $\Lambda(t_1 t_2 \ldots t_n)$. The trace associated to $m_0$ is the empty word $\epsilon$. If the label of a transition is undefined then the associated word is the empty one. The traces of a net $N$ are denoted with $Traces(N)$. A net $N = ((S, T, F, \Gamma, \Lambda), m_0)$ is safe when each marking $m \in \mathcal{M}(N)$ is such that $m(s) \leq 1$ for all $s \in S$.

A net property (intuitively, a property of the system modeled as a Petri net) can 
be characterized in several ways, e.g. as a set of markings (states of the system). The 
following definition captures the intuition that, notwithstanding the state (marking) 
reached by the system, it is always possible to reach a state satisfying the property. 

Definition 3. We say that $N$ weakly terminates in a set of markings $M$ iff for each $m \in \mathcal{M}(N)$, there is a firing sequence starting at $m$ and leading to a marking in $M$.

A subnet of a net is a net obtained by restricting places and transitions, and correspondingly the flow relation and the initial marking.

¹ The word step is usually reserved to the execution of a subset of transitions, but here we prefer to stress the computational interpretation.
Definition 4. Let $N = ((S, T, F, \Gamma, \Lambda), m_0)$ be a net, and let $T' \subseteq T$. We define the subnet generated by $T'$ as the net $N|_{T'} = ((S', T', F', \Gamma', \Lambda'), m_0')$, where

- $S' = \{s \in S \mid F(t,s) > 0 \text{ or } F(s,t) > 0 \text{ for } t \in T'\} \cup \{s \in S \mid m_0(s) > 0\}$,

- $F'$ is the flow relation restricted to $S'$ and $T'$,

- $\Gamma'$ is obtained by $\Gamma$ restricting to places in $S'$,

- $\Lambda'$ is obtained by $\Lambda$ restricting to transitions in $T'$, and

- $m_0'$ is obtained by $m_0$ restricting to places in $S'$.

We now introduce occurrence nets. The intuition behind this notion is the following: regardless how tokens are produced or consumed, an occurrence net guarantees that each transition can occur only once (hence the reason for calling them occurrence nets). We adopt the definition proposed by van Glabbeek and Plotkin in [17], namely 1-occurrence nets. For a multiset $M$, we denote by $[[M]]$ the multiset defined as $[[M]](a) = 1$ if $M(a) > 0$ and $[[M]](a) = 0$ otherwise.

A state of a net $N = ((S, T, F, \Gamma, \Lambda), m_0)$ is any finite multiset $X$ of $T$ such that the function $m_X : S \to \mathbb{Z}$ given by $m_X(s) = m_0(s) + \sum_{t \in T} X(t) \cdot (F(t,s) - F(s,t))$, for all $s \in S$, is a reachable marking of the net. We denote by $St(N)$ the states of $N$. A state contains (in no order) all the occurrences of the transitions that have been fired to reach a marking. Observe that a trace of a net is a suitable linearization of the elements of a state $X$. We use the notion of state to define occurrence nets.

Definition 5. An occurrence net $O = ((S, T, F, \Gamma, \Lambda), m_0)$ is a net where each state is a set, i.e. $\forall X \in St(O).\ X = [[X]]$.

We end this part defining when a net is correctly labeled. For a net to be correctly labeled it is required that all the transitions in the pre-set of a labeled place have the same label. Formally:

Definition 6. A net $N$ is correctly labeled iff $\forall s.\ \forall t, t' \in {}^\bullet s.\ \Gamma(s) \neq \bot \Rightarrow \Lambda(t) = \Lambda(t')$.

Intuitively we require that all the transitions putting a token in a labeled place represent the same action.

3 Nets with lending places 

We now relax the conditions under which transitions may be executed, by allowing a transition to consume tokens from a place $s$ even if $s$ does not contain enough tokens. Consequently, we allow markings with negative numbers. When the number of tokens associated to a place becomes negative, we say that they have been taken on credit. We do not permit this to happen in all places, but only in the lending places (a subset $\mathcal{L}$ of $S$). Lending places are depicted with a double circle.

Definition 7. A lending Petri net (LPN) is a triple $N = ((S, T, F, \Gamma, \Lambda), m_0, \mathcal{L})$ where $((S, T, F, \Gamma, \Lambda), m_0)$ is a marked Petri net, and $\mathcal{L} \subseteq S$ is the set of lending places.
Fig. 1. A lending Petri net.



Example 1. Consider the LPN in Fig. 1. The places $p_2$ and $p_4$ are lending places. The set of labels of the transitions is $\mathcal{T} = \{a, b, c\}$, and the places are labelled on the same set. The labeling is $\Gamma(p_1) = c$, $\Gamma(p_2) = a$ and $\Gamma(p_4) = \Gamma(p_3) = b$ (the place $p_0$ is unlabeled).

The notion of step is adapted to take into account this new kind of places. Let $N$ be an LPN, let $t$ be a transition in $T$, and let $m$ be a marking. We say that $t$ is enabled at $m$ iff $\forall s \in {}^\bullet t.\ m(s) \leq 0 \Rightarrow s \in \mathcal{L}$. The evolution of $N$ is defined as before, with the difference that the obtained marking is now a function from places to $\mathbb{Z}$ (instead of $\mathbb{N}$). This notion matches the intuition behind lending places: we want to allow a transition to be executed even when some of the transitions that are a pre-requisite have not been executed yet. This leads us to the following definition:

Definition 8. Let $m$ be a reachable marking of an LPN $N$. We say that $m$ is honored iff $m(s) \geq 0$ for all places $s$ of $N$.

An honored firing sequence is a firing sequence where the final marking is honored. Note that if the net has no lending places, then all the reachable markings are honored.

Example 2. In the net of Ex. 1, the transition $c$ is enabled even if there are no tokens in the places $p_2$ and $p_4$ in its pre-set, as they are lending places. The other transitions are not enabled, hence at the initial marking only $c$ may be executed (on credit). After firing $c$, only $b$ can be executed. This results in putting one token in $p_3$ and one in $p_4$, hence giving back the one taken on credit. After this, only $a$ can be executed. Upon firing $c$, $b$ and $a$, the marking is honored. The net is clearly a (correctly labeled) occurrence net.

We introduce now a notion of composition of LPNs, which identifies places in the components provided that they have the same label. The idea is that the places with a label are places in an interface of the net (though we do not put any limitation on such places, as done e.g. in [16]) and they are never initially marked.

Definition 9. Let $N = ((S, T, F, \Gamma, \Lambda), m_0, \mathcal{L})$ and $N' = ((S', T', F', \Gamma', \Lambda'), m_0', \mathcal{L}')$ be two LPNs. We say that $N, N'$ are compatible whenever (a) they have the same set of labels, (b) $S \cap S' = \emptyset$, (c) $T \cap T' = \emptyset$, (d) $m_0(s) = 1$ implies that $\Gamma(s) = \bot$, and (e) $m_0'(s') = 1$ implies that $\Gamma'(s') = \bot$. When $N$ and $N'$ are compatible, we define their composition $N \oplus N'$ as the LPN $((\hat S, T \cup T', \hat F, \hat\Gamma, \hat\Lambda), \hat m_0, \hat{\mathcal{L}})$ in Fig. 2.

The underlying idea of LPN composition is rather simple: each place in the first net 
bearing a specific label is paired with another in the second net bearing the same label 
$\hat S = \{(s, s') \in S \times S' \mid \Gamma(s) = \Gamma'(s')\} \cup \{s \in S \mid \Gamma(s) = \bot \text{ or } \forall s' \in S'.\ \Gamma(s) \neq \Gamma'(s')\} \cup \{s' \in S' \mid \Gamma'(s') = \bot \text{ or } \forall s \in S.\ \Gamma(s) \neq \Gamma'(s')\}$

$\hat F(\hat s, \hat t) \iff (\hat s = (s_1, s_2) \wedge \hat t = t_1 \in T \wedge F(s_1, t_1)) \vee (\hat s = (s_1, s_2) \wedge \hat t = t_2 \in T' \wedge F'(s_2, t_2)) \vee (\hat s = s_1 \in S \wedge \hat t = t_1 \in T \wedge F(s_1, t_1)) \vee (\hat s = s_2 \in S' \wedge \hat t = t_2 \in T' \wedge F'(s_2, t_2))$

$\hat F(\hat t, \hat s) \iff (\hat s = (s_1, s_2) \wedge \hat t = t_1 \in T \wedge F(t_1, s_1)) \vee (\hat s = (s_1, s_2) \wedge \hat t = t_2 \in T' \wedge F'(t_2, s_2)) \vee (\hat s = s_1 \in S \wedge \hat t = t_1 \in T \wedge F(t_1, s_1)) \vee (\hat s = s_2 \in S' \wedge \hat t = t_2 \in T' \wedge F'(t_2, s_2))$

$\hat\Gamma(\hat s) = \Gamma(s_1)$ if $\hat s = (s_1, s_2)$ or $\hat s = s_1 \in S$; $\hat\Gamma(\hat s) = \Gamma'(s_2)$ if $\hat s = s_2 \in S'$

$\hat\Lambda(\hat t) = \Lambda(t_1)$ if $\hat t = t_1 \in T$; $\hat\Lambda(\hat t) = \Lambda'(t_2)$ if $\hat t = t_2 \in T'$

$\hat m_0(\hat s) = 1$ if $\hat s = s_1 \in S$ and $m_0(s_1) = 1$, or $\hat s = s_2 \in S'$ and $m_0'(s_2) = 1$; $\hat m_0(\hat s) = 0$ otherwise

$\hat{\mathcal{L}} = \{\hat s = (s_1, s_2) \mid s_1 \in \mathcal{L} \text{ or } s_2 \in \mathcal{L}'\} \cup \{\hat s = s_1 \mid s_1 \in \mathcal{L}\} \cup \{\hat s = s_2 \mid s_2 \in \mathcal{L}'\}$

Fig. 2. Composition of two LPNs.



and vice versa. This potentially increases the number of places in the composed net. All the other ingredients of the compound net are trivially inherited from the components. Observe that, when composing two compatible nets $N$ and $N'$ such that $\Gamma(S) \cap \Gamma'(S') = \emptyset$, we obtain the disjoint union of the two nets. Further, if the common label $a \in \Gamma(S) \cap \Gamma'(S')$ is associated in $N$ to a place $s$ with empty post-set and in $N'$ to a place $s'$ with empty post-set (or vice versa) and the labelings are injective, we obtain precisely the composition defined in [16].

Example 3. Consider the nets in Fig. 3. Net $N$ fires $a$ after $b$ has been performed; dually, net $N'$ waits for $b$ before firing $a$. These nets model two participants which protect themselves by waiting for the other participant to make the first step. Clearly, no agreement is possible in this scenario. This is modelled by the deadlock in the composition $N \oplus N'$, where neither $a$ nor $b$ can be fired. Consider now the LPN $N''$, which differs from $N$ only for the lending place $p_1$. This models a participant which may fire $a$ on credit, under the guarantee that the credit will be eventually honoured by the other participant performing $b$ (hence, the participant modeled by $N''$ is still protected). The composition $N'' \oplus N'$ weakly terminates, because transition $a$ can take a token on credit from $(p_1, p_2')$, and then transition $b$ can be fired, so honouring the debit in $(p_1, p_2')$.
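To make the token game of Sect. 2, the lending semantics of Sect. 3 (Defs. 7, 8 and 12) and the composition of Def. 9 / Fig. 2 concrete, here is an added Python script; it is not code from the paper. Since Fig. 3 is not reproduced, the three nets of Ex. 3 are built under an assumed shape: each participant has an unlabelled, initially marked place, an input place labelled with the other participant's action, and an output place labelled with its own action (so the composed place written $(p_1, p_2')$ in the text appears as `("p1", "q2")`); the goal set used for weak termination is likewise an assumption, namely the honored markings in which both participants have spent their initial token.

```python
from collections import deque


class LPN:
    """Lending Petri net (Def. 7): a safe marked net with unit arcs plus a set L of lending places."""
    def __init__(self, places, transitions, flow, place_label, trans_label, m0, lending):
        self.S, self.T, self.F = frozenset(places), frozenset(transitions), frozenset(flow)
        self.gamma = dict(place_label)           # Gamma: partial labelling of places
        self.lam = dict(trans_label)             # Lambda: partial labelling of transitions
        self.m0 = {s: m0.get(s, 0) for s in self.S}
        self.L = frozenset(lending)
    def pre(self, x):
        return {y for (y, z) in self.F if z == x}
    def post(self, x):
        return {z for (y, z) in self.F if y == x}
    def enabled(self, m, t):
        # Sect. 3: a pre-place without a token blocks t unless it is a lending place
        return all(m[s] >= 1 or s in self.L for s in self.pre(t))
    def fire(self, m, t):
        m2 = dict(m)
        for s in self.pre(t): m2[s] -= 1        # may go negative: the token is taken on credit
        for s in self.post(t): m2[s] += 1
        return m2
    @staticmethod
    def honored(m):
        return all(v >= 0 for v in m.values())   # Def. 8
    def reachable_from(self, m, limit=10_000):
        """Markings reachable from m (breadth first); `limit` bounds non-occurrence nets."""
        seen, queue = {frozenset(m.items())}, deque([m])
        while queue:
            cur = queue.popleft()
            yield cur
            for t in self.T:
                if self.enabled(cur, t):
                    nxt = self.fire(cur, t)
                    key = frozenset(nxt.items())
                    if key not in seen and len(seen) < limit:
                        seen.add(key)
                        queue.append(nxt)
    def weakly_terminates(self, goal):
        """Def. 3: from every reachable marking some marking satisfying `goal` is reachable."""
        return all(any(goal(m2) for m2 in self.reachable_from(m))
                   for m in self.reachable_from(self.m0))
    def urgent(self, m):
        """Def. 12: labels of transitions firable at m after which an honored marking is reachable."""
        return {self.lam[t] for t in self.T if t in self.lam and self.enabled(m, t)
                and any(self.honored(m2) for m2 in self.reachable_from(self.fire(m, t)))}


def compose(n1, n2):
    """N (+) N' of Def. 9 and Fig. 2: places with equal labels are paired, the rest inherited."""
    assert not (n1.S & n2.S) and not (n1.T & n2.T), "components must be disjoint"
    assert all(n.m0[s] == 0 for n in (n1, n2) for s in n.gamma), "labelled places start empty"
    g1, g2 = n1.gamma, n2.gamma
    paired = {(s1, s2) for s1 in g1 for s2 in g2 if g1[s1] == g2[s2]}
    lone1 = {s for s in n1.S if s not in g1 or g1[s] not in g2.values()}
    lone2 = {s for s in n2.S if s not in g2 or g2[s] not in g1.values()}
    where = {s: [s] for s in lone1 | lone2}     # component place -> composed places holding it
    for s1, s2 in paired:
        where.setdefault(s1, []).append((s1, s2))
        where.setdefault(s2, []).append((s1, s2))
    flow = set()
    for n in (n1, n2):
        for x, y in n.F:
            flow |= {(p, y) for p in where[x]} if x in n.S else {(x, p) for p in where[y]}
    gamma = {p: g1[p[0]] for p in paired}
    gamma.update({s: g1[s] for s in lone1 if s in g1})
    gamma.update({s: g2[s] for s in lone2 if s in g2})
    m0 = {**{s: n1.m0[s] for s in lone1}, **{s: n2.m0[s] for s in lone2}}
    lending = ({p for p in paired if p[0] in n1.L or p[1] in n2.L}
               | (lone1 & n1.L) | (lone2 & n2.L))
    return LPN(paired | lone1 | lone2, n1.T | n2.T, flow, gamma,
               {**n1.lam, **n2.lam}, m0, lending)


def participant(prefix, mine, theirs, lending=()):
    """Assumed shape of the nets of Ex. 3: fire `mine` once `theirs` has delivered a token."""
    p0, p_in, p_out, t = prefix + "0", prefix + "1", prefix + "2", prefix + "_" + mine
    return LPN([p0, p_in, p_out], [t], [(p0, t), (p_in, t), (t, p_out)],
               {p_in: theirs, p_out: mine}, {t: mine}, {p0: 1}, lending)


def both_acted(m):
    # assumed goal set for Ex. 3: honored, and both participants have spent their initial token
    return LPN.honored(m) and m["p0"] == 0 and m["q0"] == 0


def example3():
    N, N1 = participant("p", "a", "b"), participant("q", "b", "a")   # N and N'
    N2 = participant("p", "a", "b", lending=["p1"])                # N'': p1 is a lending place
    NN1, N2N1 = compose(N, N1), compose(N2, N1)
    after_a = N2N1.fire(N2N1.m0, "p_a")
    return {"N+N' terminates": NN1.weakly_terminates(both_acted),      # False: deadlock
            "N+N' urgent": NN1.urgent(NN1.m0),                        # set()
            "N'' urgent": N2.urgent(N2.m0),                           # set(): credit never honored
            "N''+N' terminates": N2N1.weakly_terminates(both_acted),  # True
            "N''+N' urgent": N2N1.urgent(N2N1.m0),                    # {'a'}
            "credit in (p1,p'2)": after_a[("p1", "q2")],              # -1
            "urgent after a": N2N1.urgent(after_a)}                   # {'b'}


if __name__ == "__main__":
    for name, value in example3().items():
        print(f"{name}: {value}")
```

Running it reports, for $N \oplus N'$, no urgent action and no weak termination (the deadlock), and for $N'' \oplus N'$ the urgent action $a$ at the initial marking, a marking of $-1$ in the paired place once $a$ has fired on credit, and $b$ as the only urgent action afterwards, which matches Ex. 3 and the discussion of urgency preceding Def. 12. The search in `reachable_from` is bounded because markings of an LPN are not monotone and a general (non-occurrence) net may have infinitely many.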

The operation © is clearly associative and commutative. 

Proposition 1. Let $N_1$, $N_2$ and $N_3$ be three compatible LPNs. Then, $N_1 \oplus N_2 = N_2 \oplus N_1$ and $N_1 \oplus (N_2 \oplus N_3) = (N_1 \oplus N_2) \oplus N_3$.

Fig. 3. Three LPNs (top) and their pairwise compositions (bottom).

The composition we have defined does not have the property that, in general, considering only the transitions of one of the components, we obtain the LPN we started with, i.e. $(N_1 \oplus N_2)|_{T_1} \neq N_1$, and this because the number of labelled places increases and new arcs may be added, and these places are not forgotten when considering the subnet generated by $T_1$. However these added places are not initially marked, hence it may be that the nets have the same traces.

Definition 10. Let $N$ and $N'$ be two LPNs on the same sets of labels. We say that $N$ approximates $N'$ ($N \leq N'$) iff $Traces(N) \subseteq Traces(N')$. We say $N, N'$ equivalent ($N \sim N'$) iff $N \leq N'$ and $N' \leq N$.

Hence it would be nice to have that $(N_1 \oplus N_2)|_{T_i} \sim N_i$. Unfortunately this is not in general true, though $(N_1 \oplus N_2)|_{T_i}$ and $N_i$ are almost the same net: all the traces of $N_i$ are also traces of $(N_1 \oplus N_2)|_{T_i}$ (which may have some more traces, as in the composition some places that are also in $N_i$ may become lending).

Proposition 2. For two compatible LPNs $N_1, N_2$, $N_i \leq (N_1 \oplus N_2)|_{T_i}$ for $i = 1, 2$.

Following [16] we introduce a notion of refinement (called accordance in [16]) between two LPNs. An example is in Fig. 4. We say that $M$ is a strategy for an LPN $N$ if $N \oplus M$ is weakly terminating. With $\mathbb{S}(N)$ we denote the set of all strategies for $N$.

Definition 11. An LPN $N'$ refines $N$ if $\mathbb{S}(N') \supseteq \mathbb{S}(N)$.

Proposition 3. If $N'$ refines $N$ and $N$ weakly terminates in $M$, then $N'$ weakly terminates in $M$.

If a weakly terminating LPN $N$ is obtained by composition of several nets, i.e. $N = \bigoplus_i N_i$, we can ask what happens if there is an $N_i'$ which refines $N_i$, for each $i$. The following theorem gives the desired answer.

Theorem 1. Let $N = \bigoplus_i N_i$ be a weakly terminating LPN, and assume that $N_i'$ refines $N_i$ for all $i$. Then, $N' = \bigoplus_i N_i'$ is a weakly terminating LPN.
Fig. 4. A net $N$ and its refinement $N'$.



Indeed, this theorem gives a compositional criterion to check weak termination of a SOC application. One starts from an abstract specification (e.g. a choreography), projects it into a set of local views, and then refines each of them into a service implementation. These services can be verified independently (for refinement), and it is guaranteed that their composition still enjoys weak termination.

We now define, starting from a marking $m$, which are the actions which may be performed immediately after, while preserving the ability to reach an honored marking. We call these actions urgent. Consider e.g. the nets in Ex. 3. In the net $N'' \oplus N'$ the only urgent action at the initial marking is $a$, while $b$ is urgent at the marking reached after $a$ has fired on credit. In the net $N''$ there are no urgent actions at the initial marking, since no honored marking is reachable. In the other nets ($N$, $N'$, $N \oplus N'$) no actions are urgent in the initial marking, since these nets are deadlocked.

Definition 12. For an LPN $N$ and a marking $m \in \mathcal{M}(N)$, we say that $a$ is urgent at $m$ iff there exists a firing sequence $m[t_1\rangle \cdots [t_n\rangle m_n$ such that $\Lambda(t_1) = a$ and $m_n$ is honored.

4 Physical contracts 

In this section we present a model for physical contracts, based on LPNs. Let $\mathcal{T}$ be a denumerable set of actions, ranged over by $a, b, \ldots$, and let $Part$ be a denumerable set of participants, ranged over by $A, B, \ldots$. Actions are performed by participants under various circumstances that can be naturally represented as LPNs. We assume that actions may only be performed once. Therefore, we can consider a subclass of LPNs, namely occurrence nets where all the transitions with the same label are mutually exclusive. A physical contract is an LPN, together with a set of participants $A \subseteq Part$ and a mapping from actions $a \in \mathcal{T}$ to participants $\pi(a) \in A$.

Definition 13. A contract net $\mathcal{D}$ is a tuple $(O, A, \pi, \Omega)$, where $O = ((S, T, F, \Gamma, \Lambda), m_0, \mathcal{L})$ is an occurrence LPN labeled on $\mathcal{T}$ such that

- if $m_0(s) = 1$ then ${}^\bullet s = \emptyset$ and $\Gamma(s) = \bot$,

- $\forall t, t' \in T.\ \Lambda(t) = \Lambda(t') \Rightarrow \exists s \in {}^\bullet t \cap {}^\bullet t'$ such that $m_0(s) = 1$,

- $\forall t \in T.\ \forall s \in t^\bullet.\ \Lambda(t) = \Gamma(s)$, and

- $\forall s \in \mathcal{L}.\ \Gamma(s) \in \mathcal{T}$;

the set $A$ determines the participants bound by the contract; $\pi : \mathcal{T} \to Part$ associates each action to a participant; $\Omega$ is a set of subsets of $\mathcal{T}$, modeling the states of $\mathcal{D}$ where all the participants in $A$ are satisfied.
Technically, it is also convenient to postulate that (a) $\pi(\Lambda(T)) = A$, to model that only the participants in $A$ may perform an action, (b) labelled places are never initially marked, (c) each transition has at least a non-lending place in its preset, and (d) lending places are always labelled.

Given a state $X$ of the occurrence net $O = ((S, T, F, \Gamma, \Lambda), m_0, \mathcal{L})$ which is a part of a contract net $\mathcal{D}$, the reached marking $m$ tells us which actions have been performed (not which transitions have been executed) and which tokens have been taken on credit. We say that the configuration $\mu(m)$ associated to a marking $m$ is the pair $(C, Y)$ defined as:

- $C = \{a \in \mathcal{T} \mid \exists s \in S.\ \{s\} = \bigcap \{{}^\bullet t \mid t \in T,\ \Lambda(t) = a\} \text{ and } m(s) = 0\}$, and

- $Y = \{a \in \mathcal{T} \mid \exists s \in S.\ a = \Gamma(s) \text{ and } m(s) < 0\}$

The first component is the set of the labels of the transitions in $X$. If $m$ is honored, then the second component of $\mu(m)$ is empty.

We conclude this section by stating the conditions under which two contract nets may be composed, namely that an action can be performed only by one of the components (the other may use the tokens that the execution of the action has produced).

Definition 14. Two contract nets $\mathcal{D} = (O, A, \pi, \Omega)$ and $\mathcal{D}' = (O', A', \pi', \Omega')$ are compatible whenever $O \oplus O'$ is defined and $\Lambda(T) \cap \Lambda'(T') = \emptyset$.

The composition of $\mathcal{D}$ and $\mathcal{D}'$ is then the obvious extension of the one on LPNs:

Definition 15. Let $\mathcal{D} = (O, A, \pi, \Omega)$ and $\mathcal{D}' = (O', A', \pi', \Omega')$ be two compatible contract nets. Then $\mathcal{D} \oplus \mathcal{D}' = (O \oplus O', A \cup A', \pi \cup \pi', \Omega'')$ where $\Omega'' = \{X \cup X' \mid X \in \Omega, X' \in \Omega'\}$.

We use the same symbol to denote the composition of LPNs and of contract nets, the latter being based on the former.

Let $\mathcal{D} = (O, A, \pi, \Omega)$; the notion of weak termination can be lifted to contract nets as follows: the set of markings used in the definition is obtained from $\Omega$ as $\mathcal{M}_\Omega = \{m \in \mathcal{M}(O) \mid \mu(m) = (C, \emptyset) \text{ and } C \in \Omega\}$. To simplify the notation we say that $\mathcal{D}$ weakly terminates w.r.t. $\Omega$ whenever $O$ weakly terminates with respect to $\mathcal{M}_\Omega$.

We now extend the notion of urgent actions given for LPNs (Def. 12) to contract nets. Here, urgent actions are parametrized by the set $C$ of actions already performed.

Definition 16. Let $\mathcal{D} = (O, A, \pi, \Omega)$ be a contract net, and let $C \subseteq \mathcal{T}$. We define:
$U_C(\mathcal{D}) = \{a \in \mathcal{T} \mid \exists Y \subseteq \mathcal{T}.\ \exists m \in \mathcal{M}(O).\ \mu(m) = (C, Y) \wedge a \text{ is urgent at } m\}$

5 Logical contracts 

In this section we model contracts as formulae of the propositional contract logic PCL [5]. PCL extends intuitionistic propositional logic IPC with the connective $\twoheadrightarrow$, called contractual implication. The intuition is that, differently from IPC, a formula $b \twoheadrightarrow a$ implies $a$ not only when $b$ is true, like IPC implication, but also in the case that a "compatible" formula, e.g. $a \twoheadrightarrow b$, holds. So, PCL allows for a sort of "circular" assume-guarantee reasoning, summarized by the theorem $(b \twoheadrightarrow a) \wedge (a \twoheadrightarrow b) \to a \wedge b$.

The syntax of PCL extends that of IPC with the contractual implication connective $\twoheadrightarrow$. We assume a denumerable set $\mathcal{T}$ of atoms (prime formulae). The symbol $\top$ denotes "true". PCL formulae are ranged over by Greek letters $\varphi, \varphi', \ldots$.
Definition 17. The Hilbert-style axiomatisation of PCL extends that of IPC with the following three axioms:

$\top \twoheadrightarrow \top \qquad (\varphi \twoheadrightarrow \varphi) \to \varphi \qquad (\varphi' \to \varphi) \to (\varphi \twoheadrightarrow \psi) \to (\psi \to \psi') \to (\varphi' \twoheadrightarrow \psi')$

In [5] a Gentzen-style proof system is given (here in Fig. 7 in the Appendix). The 
proof system enjoys cut elimination and the subformula property. The decidability of 
the entailment relation h is a direct consequence of these facts. 

To model contracts, we consider the Horn fragment of PCL, which comprises atoms, conjunctions, and non-nested (intuitionistic/contractual) implications.

Definition 18. Let Horn PCL formulae $\varphi, \varphi', \ldots$ be defined as follows:

$\varphi ::= \bigwedge_{i \in I} \alpha_i \qquad \alpha ::= \bigwedge_{j \in J} b_j \mid (\bigwedge_{i \in I} a_i) \to b \mid (\bigwedge_{i \in I} a_i) \twoheadrightarrow b$

A PCL contract is a tuple $(\varphi, A, \pi, \Omega)$ where $\varphi$ is a Horn PCL formula, $A$ is a finite set of participants, $\pi : \mathcal{T} \to Part$ associates each atom with a participant, and $\Omega \subseteq \wp(\mathcal{T})$ is the set of goals of the participants.

Hereafter, we shall only consider contracts such that if $\varphi \vdash (\rho \circ a)$, for $\circ \in \{\to, \twoheadrightarrow\}$, then $\pi(a) \in A$. Indeed, a clause $\rho \to a$ models the promise to do action $a$, provided that the premises $\rho$ have been performed, and $A$ models the set of participants which can promise to do something in $\mathcal{C}$. The requirement above asks that if a contract promises to do $a$ (under whatever premises), then $a$ must be an action of some participant in $A$.

Example 4. Suppose three kids want to play together. Alice has a toy airplane, Bob has a bike, and Carl has a toy car. Each of the kids is willing to share his toy, but they have different constraints: Alice will lend her airplane only after Bob has allowed her to ride his bike; Bob will lend his bike after he has played with Carl's car; Carl will lend his car if the other two kids promise to eventually let him play with their toys. Let $\pi = \{a \mapsto A, b \mapsto B, c \mapsto C\}$. The kids' contracts are modeled as follows:

$(b \to a, \{A\}, \pi, \{\{b\}\}) \qquad (c \to b, \{B\}, \pi, \{\{c\}\}) \qquad ((a \wedge b) \twoheadrightarrow c, \{C\}, \pi, \{\{a, b\}\})$

A contract admits an agreement when all the involved participants can reach their goals. This is formalized in Def. 19 below.

Definition 19. A PCL contract $\mathcal{C}$ admits an agreement iff $\exists X \in \Omega.\ \varphi \vdash \bigwedge X$.

We now define composition of PCL contracts. If $\mathcal{C}'$ is the contract written by an adversary of $\mathcal{C}$, then a naive composition of the two contracts could easily lead to an attack, e.g. when Mallory's contract says that Alice is obliged to give him her airplane. To prevent such kinds of attacks, contract composition is a partial operation. We do not compose contracts which bind the same participant, or which disagree on the association between atoms and participants.

Definition 20. Two PCL contracts $\mathcal{C} = (\varphi, A, \pi, \Omega)$ and $\mathcal{C}' = (\varphi', A', \pi', \Omega')$ are compatible whenever $A \cap A' = \emptyset$, and $\forall \mathsf{A} \in A \cup A'.\ \pi^{-1}(\mathsf{A}) = \pi'^{-1}(\mathsf{A})$. If $\mathcal{C}, \mathcal{C}'$ are compatible, we define their composition as $\mathcal{C} \mid \mathcal{C}' = (\varphi \wedge \varphi', A \cup A', \pi \cup \pi', \Omega \mid \Omega')$, where $\Omega \mid \Omega' = \{X \cup X' \mid X \in \Omega, X' \in \Omega'\}$.
$S = \mathcal{T} \times (T \cup \{*\})$

$T = \{(X, a, \circ) \mid \bigwedge X \to a\} \cup \{(X, a, \circledast) \mid \bigwedge X \twoheadrightarrow a\}$

$F = \{(s, t) \mid s = (a, *),\ t = (X, a, z)\} \cup \{(s, t) \mid s = (a, t),\ t = (X, c, z),\ a \in X\} \cup \{(t, s) \mid s = (a, x),\ t = (X, a, z),\ x \neq *\}$

$\Gamma(s) = $ if $s = (a, x)$ with $x \in T$ then $a$ else $\bot$

$\Lambda(t) = $ if $t = (X, a, z)$ then $a$ else $\bot$

$m_0(s) = $ if $s = (a, *)$ then $1$ else $0$

$\mathcal{L} = \{s \in S \mid s = (a, t) \text{ and } t = (X, c, \circledast) \text{ with } X \neq \emptyset\}$

Fig. 5. Translation from logical to physical contracts.

Example 5. The three contracts in Ex. 4 are compatible, and their composition is:

$\mathcal{C} = (\varphi,\ \{A,B,C\},\ \{a \mapsto A,\ b \mapsto B,\ c \mapsto C\},\ \{\{a,b,c\}\})$

where $\varphi = (b \to a) \wedge (c \to b) \wedge ((a \wedge b) \twoheadrightarrow c)$. $\mathcal{C}$ admits an agreement, since $\varphi \vdash a \wedge b \wedge c$.

Note that, in the previous example, to have an agreement it is crucial that Carl's contract allows the action $c$ to happen "on credit", before the other events are performed: had Carl used the intuitionistic implication $(a \wedge b) \to c$, none of the three clauses could ever be applied, and no agreement would exist.

6 From logical to physical contracts

In this section we show how to construct, starting from a logical contract, a physical one which preserves the agreement property. Technically, we shall relate provability in PCL to reachability of suitable configurations in the associated LPN. The idea of our construction is to translate each Horn clause of a PCL formula into a transition of an LPN, labelled with the action in the conclusion of the clause.

Definition 21. Let $\mathcal{C} = (\varphi, \mathcal{A}, \pi, \Omega)$ be a PCL contract. We define the contract net $\mathcal{P}(\mathcal{C})$ as $(((S,T,F,\Gamma,\Lambda),\ m_0,\ \mathcal{L}),\ \mathcal{A},\ \pi,\ \Omega)$, with the components given in Fig. 5.

The transitions associated to $\mathcal{C}$ are a subset $T$ of $\wp(\mathbb{T}) \times \mathbb{T} \times \{\circledast, \odot\}$. For each intuitionistic/contractual implication, we introduce a transition as follows. A clause $\bigwedge X \twoheadrightarrow a$ maps to $(X,a,\circledast) \in T$, while $\bigwedge X \to a$ maps to $(X,a,\odot) \in T$. A formula $\bigwedge_{j \in J} b_j$ is dealt with as the set of clauses $\{\bigwedge \emptyset \to b_j \mid j \in J\}$. Places in $S$ carry the information on which transition may actually put/consume a token from them (even on credit). The lending places are those places $(a,t)$ where $t = (X,c,\circledast)$. Observe that a transition $t = (X,a,z)$ puts a token in each place $(a,x)$ with $x \neq *$, and that all the transitions bearing the same label, say $a$, are mutually exclusive, as they share the unique input place $(a,*)$. The initial marking puts one token in each place of $\mathbb{T} \times \{*\}$ and none elsewhere; if a token is consumed from one of these places then the place will never be marked again. Furthermore, the lending places are never initially marked.







Fig. 6. Two contract nets constructed from PCL formulae. 



Example 6. Consider the PCL contract with formula $a \twoheadrightarrow a$ (the other components are immaterial for the sake of the example). The associated LPN is in Fig. 6, left. The transition $t = (\{a\}, a, \circledast)$, labelled $a$, can be executed at the initial marking, as the unmarked place $(a,t)$ in its preset is a lending place. Executing it consumes the token of $(a,*)$, lends one token from $(a,t)$ and immediately puts one back into $(a,t)$, so the reached marking contains no tokens, hence it is honored. This is coherent with the fact that $a \twoheadrightarrow a \vdash a$ holds in PCL.

Example 7. Consider the PCL contract with formula $\varphi = (b \twoheadrightarrow a) \wedge (a \to c) \wedge (a \to b)$. The associated LPN is depicted in Fig. 6, right. The transitions are $t_1 = (\{b\},a,\circledast)$, $t_2 = (\{a\},c,\odot)$ and $t_3 = (\{a\},b,\odot)$. Initially only $t_1$ is enabled, lending a token from the place $(b,t_1)$. This leads to a marking where both $t_2$ and $t_3$ are enabled, but only the execution of $t_3$ ends up in an honored marking, since only $t_3$ puts back the token lent from $(b,t_1)$. The marking reached after executing all the actions is honored. This is coherent with the fact that $\varphi \vdash a \wedge b \wedge c$ holds in PCL.
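The construction of Fig. 5 and the firing semantics of Examples 6 and 7, as an added Python example (this is not code from the paper). It builds the contract net of a Horn PCL contract, composes contracts as in Def. 20, and explores markings with lending places allowed to go negative. The function `goal_reachable` is this example's own stand-in for weak termination (which the paper defines in an earlier section, not reproduced here): it asks whether some reachable honored marking has performed an entire goal of $\Omega$. All function names and the constructed inputs (the kids of Ex. 4 and the formula of Ex. 7) are assumptions of the example.

```python
# Added example (not from the paper): the contract net of Fig. 5 / Def. 21 for a
# Horn PCL contract, with lending semantics for contractual (->>) clauses.
from itertools import chain

INTU, CONTR = "->", "->>"   # intuitionistic (⊙) and contractual (⊛) clauses

def contract(clauses, participants, pi, goals):
    """A PCL contract (phi, A, pi, Omega); phi is a set of Horn clauses (X, a, kind)."""
    phi = frozenset((frozenset(X), a, kind) for X, a, kind in clauses)
    return {"phi": phi, "A": frozenset(participants), "pi": dict(pi),
            "Omega": frozenset(frozenset(g) for g in goals)}

def compose(c1, c2):
    """Def. 20: composition is partial; incompatible contracts raise ValueError."""
    if c1["A"] & c2["A"]:
        raise ValueError("contracts bind the same participant")
    for p in c1["A"] | c2["A"]:  # pi^-1(p) must agree for every participant p
        mine = {a for a, q in c1["pi"].items() if q == p}
        theirs = {a for a, q in c2["pi"].items() if q == p}
        if mine != theirs:
            raise ValueError(f"contracts disagree on the actions of {p}")
    return {"phi": c1["phi"] | c2["phi"], "A": c1["A"] | c2["A"],
            "pi": {**c1["pi"], **c2["pi"]},
            "Omega": frozenset(x | y for x in c1["Omega"] for y in c2["Omega"])}

def contract_net(c):
    """Fig. 5: places (a, x) with x a transition or '*'; one transition per clause."""
    T = sorted(c["phi"], key=lambda t: (t[1], t[2], sorted(t[0])))
    atoms = set(c["pi"]) | set(chain.from_iterable(X | {a} for X, a, _ in T))
    pre = {t: {(t[1], "*")} | {(a, t) for a in t[0]} for t in T}   # (a,*) and (a,t), a in X
    post = {t: {(t[1], x) for x in T} for t in T}                   # (a,x) for every x != *
    lending = {(a, t) for t in T if t[2] == CONTR for a in t[0]}    # premises of ->> clauses
    m0 = {(a, x): (1 if x == "*" else 0) for a in atoms for x in T + ["*"]}
    return {"T": T, "pre": pre, "post": post, "L": lending, "m0": m0}

def enabled(net, m, t):
    """Ordinary input places need a token; a lending place may be drawn below zero (a loan)."""
    return all(m[s] >= 1 or s in net["L"] for s in net["pre"][t])

def fire(net, m, t):
    m = dict(m)
    for s in net["pre"][t]:
        m[s] -= 1
    for s in net["post"][t]:
        m[s] += 1
    return m

def honored(m):
    """No outstanding loan: no place carries a negative marking."""
    return all(v >= 0 for v in m.values())

def enabled_labels(net, m):
    return {t[1] for t in net["T"] if enabled(net, m, t)}

def fire_sequence(net, labels):
    """Fire the transition carrying each label in turn; RuntimeError if it is not enabled."""
    m = dict(net["m0"])
    for lab in labels:
        ts = [t for t in net["T"] if t[1] == lab and enabled(net, m, t)]
        if not ts:
            raise RuntimeError(f"no enabled transition labelled {lab}")
        m = fire(net, m, ts[0])
    return m

def reachable(net):
    """All reachable (marking, performed labels) pairs; finite since each transition fires once."""
    start = (frozenset(net["m0"].items()), frozenset())
    seen, todo = {start}, [start]
    while todo:
        mk, done = todo.pop()
        m = dict(mk)
        for t in net["T"]:
            if enabled(net, m, t):
                nxt = (frozenset(fire(net, m, t).items()), done | {t[1]})
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen

def goal_reachable(c):
    """Assumed net-side reading of agreement (stand-in for the paper's weak termination):
    some reachable honored marking has performed every action of a goal in Omega."""
    return any(honored(dict(mk)) and any(g <= done for g in c["Omega"])
               for mk, done in reachable(contract_net(c)))

# Constructed inputs: the kids of Ex. 4, their composition (Ex. 5), and Ex. 7.
PI = {"a": "A", "b": "B", "c": "C"}
alice = contract([({"b"}, "a", INTU)], {"A"}, PI, [{"b"}])
bob = contract([({"c"}, "b", INTU)], {"B"}, PI, [{"c"}])
carl = contract([({"a", "b"}, "c", CONTR)], {"C"}, PI, [{"a", "b"}])
kids = compose(compose(alice, bob), carl)
carl_no_credit = contract([({"a", "b"}, "c", INTU)], {"C"}, PI, [{"a", "b"}])
kids_stuck = compose(compose(alice, bob), carl_no_credit)   # nobody can move first
ex7 = contract([({"b"}, "a", CONTR), ({"a"}, "c", INTU), ({"a"}, "b", INTU)],
               {"P"}, {"a": "P", "b": "P", "c": "P"}, [{"a", "b", "c"}])

if __name__ == "__main__":
    net = contract_net(kids)
    print("kids, enabled at m0:", enabled_labels(net, net["m0"]))      # only c, on credit
    print("kids agreement:", goal_reachable(kids), "| stuck:", goal_reachable(kids_stuck))
    m = fire_sequence(contract_net(ex7), ["a"])
    print("Ex. 7 after a: honored?", honored(m), "loans:", [s for s, v in m.items() if v < 0])
```

Run as a script, the kids' net enables only $c$ at the initial marking, the composition admits an agreement while `kids_stuck` does not, and after $t_1$ in Ex. 7 the only negative place is $(b,t_1)$. Composing Alice's contract with one that maps $a$ to a different participant raises `ValueError`, which is the partiality of Def. 20 in action.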

Since every transition consumes the token from the place $(a,*)$ (where $a$ is the label of the transition), and these places can never be marked again, it is easy to see that each transition may occur at most once. Hence, the net associated to a contract is an occurrence net. If two transitions $t, t'$ have the same label (say $a$), then they cannot belong to the same state of the net: transitions with the same label share the input place $(a,*)$, which is not a lending place and has no ingoing arc, hence only one of them may happen. The notion of correctly labelled net lifts straightforwardly to contract nets.

Proposition 4. For all PCL contracts $\mathcal{C}$, $\mathcal{P}(\mathcal{C})$ is a correctly labelled contract net.

A relevant property of $\mathcal{P}$ is that it is a homomorphism with respect to contract composition. Thus, since both $\mid$ and $\oplus$ are associative and commutative, we can construct a physical contract from a set of logical contracts $\mathcal{C}_1 \cdots \mathcal{C}_n$ componentwise, i.e. by composing the contract nets $\mathcal{P}(\mathcal{C}_1) \cdots \mathcal{P}(\mathcal{C}_n)$.

Proposition 5. For all $\mathcal{C}_1, \mathcal{C}_2$ it holds that $\mathcal{P}(\mathcal{C}_1 \mid \mathcal{C}_2) \cong \mathcal{P}(\mathcal{C}_1) \oplus \mathcal{P}(\mathcal{C}_2)$.

In Theorem 2 below we state the main result of this section, namely that our construction maps the agreement property of a PCL contract into weak termination of the resulting contract net. To prove Theorem 2, we exploit the fact that $C$ is a set of provable atoms in the logic iff $(C, \emptyset)$ is a configuration of the associated contract net.

Lemma 1. Let $\mathcal{C} = (\varphi, \mathcal{A}, \pi, \Omega)$ be a PCL contract, and let $\mathcal{P}(\mathcal{C}) = (\mathcal{N}, \mathcal{A}, \pi, \Omega)$. For all $C \subseteq \mathbb{T}$, we have that $\varphi \vdash \bigwedge C$ iff there exists $m \in \mathcal{M}(\mathcal{N})$ whose associated configuration is $(C, \emptyset)$.

Theorem 2. A PCL contract $\mathcal{C}$ admits an agreement iff $\mathcal{P}(\mathcal{C})$ weakly terminates in $\Omega$.

We now specialize Theorem 1, which allows for compositional verification of choreographies. Assuming a choreography specified as a logical PCL contract $\mathcal{C}$, we can (i) project it into the contracts $\mathcal{C}_1 \cdots \mathcal{C}_n$ of its participants, (ii) construct the corresponding LPN contracts $\mathcal{P}(\mathcal{C}_1) \cdots \mathcal{P}(\mathcal{C}_n)$, and (iii) individually refine each of them into a service implementation. If the original choreography admits an agreement, then the composition of the services weakly terminates, i.e. it is correct w.r.t. the choreography.

Theorem 3. Let $\mathcal{C} = \mathcal{C}_1 \mid \cdots \mid \mathcal{C}_n$ admit an agreement, and let $\Omega_i$ be the goals of $\mathcal{C}_i$. If $D_i$ refines $\mathcal{P}(\mathcal{C}_i)$ for $i \in 1..n$, then $D_1 \oplus \cdots \oplus D_n$ weakly terminates in $\Omega_1 \cup \cdots \cup \Omega_n$.

The notion of urgency in contract nets induces an ordering relation between the actions of the corresponding PCL contract. Consider e.g. the contract with formula $(a \to b) \wedge (b \twoheadrightarrow a)$. By probing such a formula with the logical entailment relation $\vdash$, we can only deduce that both $a$ and $b$ are provable. Instead, by observing the corresponding contract net ($N'' \oplus N'$ in Fig. 3) we obtain more detailed information, i.e. that $a$ is urgent in the initial state, while $b$ becomes urgent after $a$ has been performed.

Theorem 4 below gives a logical characterization of urgent actions. This is obtained by a suitable rewriting of PCL contracts, which separates the urgent actions from the reachable ones. Given a PCL contract $\mathcal{C}$ with formula $\varphi$, Theorem 4 relates the PCL formula $[\varphi]_U$ with the urgent actions of the contract net $\mathcal{P}(\mathcal{C})$.

We now define an endomorphism of Horn PCL formulae. We assume three functions $!: \mathbb{T} \to \mathbb{T}$, $R: \mathbb{T} \to \mathbb{T}$ and $U: \mathbb{T} \to \mathbb{T}$ such that $!\mathbb{T}$, $R\mathbb{T}$ and $U\mathbb{T}$ are pairwise disjoint. For a set $X \subseteq \mathbb{T}$ and a formula $p = \bigwedge X$, we denote with $*p$ the formula $\bigwedge\{*e \mid e \in X\}$, for $* \in \{!, R, U\}$. Below, we denote with $\mathrm{atoms}(\varphi)$ the set of all atoms of the formula $\varphi$, and we assume that $\mathrm{atoms}(\varphi) \cap *(\mathbb{T}) = \emptyset$, for $* \in \{!, R, U\}$. Intuitively, $!a$ records that $a$ has already been performed, $Ra$ that $a$ is reachable, and $Ua$ that $a$ is urgent.

Definition 22. The endomorphism $[\cdot]_U$ of Horn PCL formulae is defined as follows:

$[\bigwedge_i (p_i \circ a_i)]_U = \bigwedge_i [p_i \circ a_i]_U \wedge \Phi(\bigcup_i \mathrm{atoms}(p_i \circ a_i))$ for $\circ \in \{\to, \twoheadrightarrow\}$

$\Phi(X) = \bigwedge\{\,!a \to Ra \mid a \in X\} \wedge \bigwedge\{Ua \to Ra \mid a \in X\}$

$[p \to a]_U = (Rp \to Ra) \wedge (!p \to Ua)$

$[p \twoheadrightarrow a]_U = (Rp \twoheadrightarrow Ua)$

Given a PCL contract $\mathcal{C} = (\varphi, \cdots)$ and a set of actions $C$ already performed, an action $a$ is urgent in $\mathcal{P}(\mathcal{C})$ iff $Ua$ is provable from $[\varphi]_U$ together with $!C$.

Theorem 4. For all PCL contracts $\mathcal{C} = (\varphi, \mathcal{A}, \pi, \Omega)$, and for all $C \subseteq \mathbb{T}$:

$a \in \mathcal{U}_C(\mathcal{P}(\mathcal{C})) \iff [\varphi]_U,\ !C \vdash Ua$
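The rewriting of Def. 22 and the right-hand side of Theorem 4, as an added Python example (not code from the paper). The prover `provable` is an assumed decision procedure for the Horn fragment: an intuitionistic clause fires once its premises are proved, and a contractual clause $X \twoheadrightarrow a$ may use $a$ as a hypothesis while proving $X$, mirroring the way a contractual implication lets its conclusion be taken on credit; it is not the paper's proof system and is an assumption of this example. The encoding of $!a$, $Ra$, $Ua$ as prefixed strings, all helper names, and the constructed inputs (the ordering example $(a \to b) \wedge (b \twoheadrightarrow a)$ above, Ex. 5 and Ex. 7) are likewise this example's own.

```python
# Added example (not from the paper): [.]_U of Def. 22 and the urgent actions of
# Theorem 4, on top of an assumed fixpoint prover for Horn PCL.
INTU, CONTR = "->", "->>"

def cl(X, a, kind):
    """A Horn clause  /\X o a  as a hashable triple."""
    return (frozenset(X), a, kind)

def provable(clauses, hyps=frozenset()):
    """Atoms derivable from the clauses plus atomic hypotheses.

    Assumed decision procedure (not from the paper): least fixpoint in which
    X -> a fires once X is proved, and X ->> a fires once X is provable under the
    extra hypothesis a, i.e. the credit a contractual clause is allowed to take.
    Terminates because every recursive call strictly enlarges the hypothesis set."""
    proved = set(hyps)
    changed = True
    while changed:
        changed = False
        for X, a, kind in clauses:
            if a in proved:
                continue
            if kind == INTU and X <= proved:
                proved.add(a)
                changed = True
            elif kind == CONTR and X <= provable(clauses, frozenset(proved | {a})):
                proved.add(a)
                changed = True
    return frozenset(proved)

def admits_agreement(clauses, goals):
    """Def. 19: some goal X in Omega has all of its atoms provable."""
    return any(frozenset(g) <= provable(clauses) for g in goals)

def tag(prefix, X):
    return frozenset(prefix + x for x in X)

def rewrite_U(clauses):
    """Def. 22: [phi]_U, with !a, Ra, Ua encoded as the strings '!a', 'Ra', 'Ua'.
    The assumption atoms(phi) ∩ *(T) = ∅ holds as long as plain atoms never start
    with one of these prefixes (an assumption of this encoding)."""
    out, atoms = set(), set()
    for X, a, kind in clauses:
        atoms |= X | {a}
        if kind == INTU:
            out.add(cl(tag("R", X), "R" + a, INTU))    # Rp -> Ra
            out.add(cl(tag("!", X), "U" + a, INTU))    # !p -> Ua
        else:
            out.add(cl(tag("R", X), "U" + a, CONTR))   # Rp ->> Ua
    for a in atoms:                                    # Phi(atoms(phi))
        out.add(cl({"!" + a}, "R" + a, INTU))          # !a -> Ra
        out.add(cl({"U" + a}, "R" + a, INTU))          # Ua -> Ra
    return frozenset(out)

def urgent(clauses, performed=frozenset()):
    """Right-hand side of Theorem 4: {a | [phi]_U, !C |- Ua} for the performed set C."""
    proved = provable(rewrite_U(clauses), frozenset("!" + c for c in performed))
    return frozenset(x[1:] for x in proved if x.startswith("U"))

# Constructed inputs.
ORDER = [cl({"a"}, "b", INTU), cl({"b"}, "a", CONTR)]                       # (a -> b) ∧ (b ->> a)
KIDS = [cl({"b"}, "a", INTU), cl({"c"}, "b", INTU), cl({"a", "b"}, "c", CONTR)]   # Ex. 5
EX7 = [cl({"b"}, "a", CONTR), cl({"a"}, "c", INTU), cl({"a"}, "b", INTU)]   # Ex. 7

if __name__ == "__main__":
    print("kids agreement:", admits_agreement(KIDS, [{"a", "b", "c"}]))
    for done in (set(), {"a"}):
        print(f"(a -> b) ∧ (b ->> a), performed {sorted(done)}: urgent {sorted(urgent(ORDER, done))}")
    for done in (set(), {"c"}, {"c", "b"}):
        print(f"kids, performed {sorted(done)}: urgent {sorted(urgent(KIDS, done))}")
```

On the ordering example only $a$ is urgent initially and $b$ becomes urgent once $a$ is performed, which is the behaviour read off the net above. On the kids' contract the same check reports $c$ as the only urgent action at the start (Carl's promise on credit), then $b$ after $c$, then $a$ after $b$, matching the firing order of the contract net.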

7 Related work and conclusions 

We have investigated how to compile logical contracts into physical ones. The source of the compilation is the Horn fragment of Propositional Contract Logic [5], while the target is a contract model based on lending Petri nets (LPNs). Our compilation preserves agreements (Theorem 2), as well as the possibility of protecting services against the misbehaviour of malevolent services. LPN contracts can be used to reason compositionally about the realization of a choreography (Theorem 3), so extending a result of [16]. Furthermore, we have given a logical characterization of those urgent actions which have to be performed in a given state. This notion, which was only intuitively outlined in [5], is now made formal through our compilation into LPNs (Theorem 4).

Contract nets seem a promising model for reasoning on contracts: while having a clear relation with PCL contracts, they can also inherit the whole range of tools already available for Petri nets.

The notion of places with a negative marking is not a new one in the Petri nets community, though very few papers tackle it, as the interpretation of a place with negative tokens is rather difficult. In this paper we have used it to model situations where actions are in a circular dependency, like the ones arising in PCL contracts. Lending places model the intuition that an action can be performed on a promise, and a negative token in a place can be interpreted as the promise made, which must sooner or later be honored. Indeed, the net obtained from a PCL contract is an occurrence net which may contain cycles, e.g. in the net of Ex. 7 the transition $t_1$ depends on $t_3$, which in turn depends on $t_1$ (to execute $t_1$ we are required to lend a token, which is afterwards supplied by $t_3$). In [15] the idea of places with negative marking is realized using a new kind of arc, called debit arcs. This choice does not match our intuition, and furthermore, under suitable conditions, nets with debit arcs become Turing powerful, whereas in our case we do not add expressivity.

Acknowledgments. We wish to thank Philippe Darondeau and Roberto Zunino for use- 
ful discussion and suggestions on the topics of the paper. This work has been partially 
supported by the Aut. Region of Sardinia under grants L.R.7/2007 CRP2-120 (Project 
TESLA) CRP-17285 (Project TRICS), and P.I.A. 2010 (Project "Social Glue"). 

References 

1. M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 15(4), 1993.

2. M. Abadi and G. D. Plotkin. A logical view of composition. Theoretical Computer Science, 114(1), 1993.

3. M. Armbrust et al. A view of cloud computing. Communications of the ACM, 53(4):50-58, 2010.

4. M. Bartoletti, T. Cimoli, G. M. Pinna, and R. Zunino. An event-based model for contracts. In Proc. PLACES, 2012.

5. M. Bartoletti and R. Zunino. A calculus of contracting processes. In Proc. LICS, 2010.

6. L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida. A theory of design-by-contract for distributed multiparty interactions. In Proc. CONCUR, 2010.

7. M. Bravetti, I. Lanese, and G. Zavattaro. Contract-driven implementation of choreographies. In Proc. TGC, pages 1-18, 2008.

8. M. Bravetti and G. Zavattaro. Contract based multi-party service composition. In Proc. FSEN, pages 207-222, 2007.

9. M. Bravetti and G. Zavattaro. Towards a unifying theory for choreography conformance and contract compliance. In Proc. Software Composition, 2007.

10. G. Castagna, N. Gesbert, and L. Padovani. A theory of contracts for web services. ACM Transactions on Programming Languages and Systems, 31(5), 2009.

11. D. Garg and M. Abadi. A modal deconstruction of access control logics. In Proc. FoSSaCS, 2008.

12. T. T. Hildebrandt and R. R. Mukkamala. Declarative event-based workflow as distributed dynamic condition response graphs. In Proc. PLACES, 2010.

13. K. Honda, N. Yoshida, and M. Carbone. Multiparty asynchronous session types. In Proc. POPL, 2008.

14. C. Prisacariu and G. Schneider. A dynamic deontic logic for complex contracts. Journal of Logic and Algebraic Programming, 81(4), 2012.

15. P. D. Stotts and P. Godfrey. Place/transition nets with debit arcs. Information Processing Letters, 41(1), 1992.

16. W. M. P. van der Aalst, N. Lohmann, P. Massuthe, C. Stahl, and K. Wolf. Multiparty contracts: Agreeing and implementing interorganizational processes. The Computer Journal, 53(1), 2010.

17. R. J. van Glabbeek and G. D. Plotkin. Configuration structures. In Proc. LICS, 1995.




A Proof system for PCL

[Fig. 7: the Gentzen-style sequent rules of PCL, among them (Id), (Cut) and the left rules for $\wedge$, $\vee$ and $\twoheadrightarrow$; the rule schemata are not reproduced here.]

Fig. 7. Gentzen-style proof system for PCL.